Since the GDPR became applicable in May 2018, the role of the Data Protection Officer (DPO) within an organisation has become even more important, focusing on guiding organisations safely through the compliance minefield of data protection legislation.
It is mandatory for public bodies, and for commercial organisations whose core activities involve large-scale processing of personal data, to appoint a DPO, who can bring some welcome clarity to the implementation of the legislation. But it is a huge responsibility for one individual. Reports suggest that organisations in the financial, health and education sectors are struggling to meet demands, with complaints up 160 percent since the GDPR came into effect.
The role may be undertaken by a dedicated DPO (who can be shared across several organisations) or by an existing employee, and in either case the individual must meet the requirements laid out in Articles 37-39. These stipulate that the DPO must maintain expert knowledge of the legal requirements and be able to oversee compliance: monitoring, informing and advising on data protection, as well as acting as the single point of contact for the supervisory authority. It is a position that demands both objectivity and immersion within the organisation, which makes it a difficult role to fill.
Three important considerations when appointing the DPO are that they should be properly resourced, that they should report directly to the highest level of management, and that any other duties they hold should not conflict with the DPO role. They require unimpeded access to the organisation's personal data and processing operations, and cannot be penalised or dismissed for carrying out their responsibilities. This should give them the authority and line of sight to make the changes needed to meet compliance obligations, but the role is unlikely to be a popular one, as there will no doubt come a time when difficult decisions need to be made.
Challenges for the DPO include:
- Data classification: all data should be categorised across the organisation, with personal data (often referred to as Personally Identifiable Information, or PII) discoverable, given appropriate protection and in some instances pseudonymised, anonymised or encrypted. Processes then need to be put in place to maintain this classification going forward, requiring the DPO to become involved in transforming the data processing practices of the organisation.
- Decision making: the controller must carry out a Data Protection Impact Assessment (DPIA) when new projects or systems are likely to present a high risk to individuals, and the DPO is required to advise on and monitor those assessments. This could see an assessment performed on the privacy implications of a new product or service, for instance. The DPO is entitled to bring in relevant experts and to obtain assistance from data processors to inform their findings. The time this takes can see DPIAs perceived as a hindrance to the execution of projects.
- Data subject requests: under the GDPR individuals have the right to know what information is held on them and how it is being used, to receive a copy of it, and in certain cases to have it erased. Requests must normally be answered within one month. The DPO should ensure that mechanisms and processes exist to locate, export, anonymise and dispose of personal data. Tracking down this data and reporting on it can cause real disruption to the organisation, and erasing records can hollow out the core databases that sales and marketing depend on.
- Incident response: in the event of a breach involving personal data, the DPO should aid the controller in reporting the breach to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, or in providing reasons for any delay. Where the breach is likely to result in a high risk to individuals, the affected data subjects must be informed as well. Reporting requires the aggregation of all the relevant information associated with the breach: its nature, the categories and approximate numbers of data subjects and records affected, the likely consequences, and the measures taken or proposed to address it. Failing to report can result in punitive fines (the tier that covers breach notification runs to EUR 10 million or 2 percent of global annual turnover, whichever is higher), placing the DPO under intense pressure to ensure processes are in place that can facilitate rapid reporting.
- Monitoring: the DPO should regularly monitor for guidance updates and interpret these to ensure the organisation remains compliant, requiring them to keep their knowledge of data protection legislation up to date. They should also pass on this knowledge in the form of staff training programmes, which calls for a wide range of skills.
The DPO not only needs a wide set of skills (with experience ranging from the legal to the operational, and even handling personnel), but also needs to accommodate the demands of the organisation, the supervisory authority and the data subject. While employed by the organisation, they still need to maintain their independence, and their input can be seen as running counter to the organisation's interests. This needs to change for data protection to become integral to the way the organisation operates.
To avoid being seen as bureaucratic, it is imperative that the DPO be given the opportunity to integrate across the organisation. This may well require cultural change. For example, data protection is often viewed as the preserve of the IT team, who provide the tools to encrypt sensitive information and to prevent data loss through compromise. A clear remit therefore needs to be put in place outlining how the DPO and the IT team will work together to cover both the legal and the operational aspects of data protection. Only then can the DPO begin to make a positive contribution, with data protection implemented effectively and efficiently.
If you are a DPO and would like help on overcoming your challenges, contact us today.